28 November 2016

Web Application Vulnerabilities

I've been working with Web Application Firewalls (WAF) lately, where I have to interact closely with developer teams to learn how their applications work so that I can apply layer 7 security policies that protect against XSS attacks, SQL injection attacks or CSRF attacks. In practice, it's important to know how the web application works in order to allow the maximum length of the URI, the number of bytes sent in each request/response, the kind of encoding, the parameters' values, etc.
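To make the policy settings listed above concrete, here is a small request checker in the spirit of a layer 7 policy (an added example, not code from the post or from any WAF vendor). The policy values, parameter names and the check_request / is_allowed helpers are constructed for illustration; a real WAF learns these limits from the developers and from observed traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy values: the kind of limits an operator tunes after
# learning from the developers how the application actually behaves.
POLICY = {
    "max_uri_length": 256,
    "max_body_bytes": 4096,
    "allowed_content_types": {"application/x-www-form-urlencoded", "application/json"},
    # Per-parameter value constraints; any parameter not listed is rejected.
    "params": {
        "acct": re.compile(r"[0-9]{1,10}"),
        "page": re.compile(r"[0-9]{1,3}"),
    },
}


def check_request(method, uri, headers, body, policy=POLICY):
    """Return the list of policy violations for one request (empty list means allow)."""
    violations = []
    if len(uri) > policy["max_uri_length"]:
        violations.append("uri too long")
    if len(body) > policy["max_body_bytes"]:
        violations.append("body too large")
    # Header names are compared case-insensitively; charset parameters are ignored.
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() == "POST" and ctype not in policy["allowed_content_types"]:
        violations.append("content-type not allowed: " + (ctype or "none"))
    # Validate every query-string parameter against its learned constraint.
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        pattern = policy["params"].get(name)
        if pattern is None:
            violations.append("unknown parameter: " + name)
        elif not pattern.fullmatch(value):
            violations.append("bad value for " + name)
    return violations


def is_allowed(method, uri, headers, body, policy=POLICY):
    """Convenience wrapper: True when the request has no violations."""
    return not check_request(method, uri, headers, body, policy)
```

The parameter constraints are the part that depends most on the developers' input: the acct value in the post's own example URL only passes because the policy knows an account id is numeric, so a request carrying acct=notmyaccount is rejected before it reaches the application.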

Web Application Firewalls are appliances, physical or virtual, that should be full proxies so they can analyse traffic in both directions (requests and responses) and block malicious patterns. In fact, this is a benefit of layer 7 load balancing: along with attack signatures, they are able to block most of the OWASP Top 10 Critical Web Application Security Risks. Thanks to the Hack-it-yourself auction website from F5 Networks and my last Ethical Hacking course, I'm going to show you some web application vulnerabilities.

Parameter Tampering

This is an Insecure Direct Object Reference attack, where the attacker can access internal objects such as URLs, parameters, files, directories, hidden fields and database keys without authorization. For instance, the attacker can change the account number in the following URL and access another account without authorization:

http://example.com/app/accountInfo?acct=notmyaccount

Hidden Field Manipulation

This is another Insecure Direct Object Reference attack, where the attacker can read and modify hidden fields in the HTML to skip steps in application wizards, modify dynamic parameters, change the access control profile in a web application, etc. For instance, the attacker can change the price of a product on the client side with a web proxy to buy cheaper in e-commerce applications.
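Both the parameter tampering case above (the acct= URL) and the hidden price field share one root cause: the server trusts an identifier or value that the browser sent back. The following added example (not code from the post or from the F5 auction site) shows each handler in a vulnerable and a hardened form. The ACCOUNTS and CATALOGUE_CENTS data, the user names and the handler names are all constructed for illustration.

```python
# Constructed data: which user owns which account, and the real catalogue prices (in cents).
ACCOUNTS = {
    "1001": {"owner": "alice", "balance_cents": 25000},
    "1002": {"owner": "bob", "balance_cents": 900000},
}
CATALOGUE_CENTS = {"sku-7": 4999}


class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested object."""


def account_info_vulnerable(session_user, params):
    """Insecure direct object reference: the acct id from the URL is trusted as-is."""
    return ACCOUNTS[params["acct"]]


def account_info_hardened(session_user, params):
    """Look the object up, then verify the authenticated user owns it before returning it."""
    acct = ACCOUNTS.get(params["acct"])
    if acct is None or acct["owner"] != session_user:
        # Same response for "missing" and "not yours", so valid ids cannot be enumerated.
        raise Forbidden("account not available to the current user")
    return acct


def checkout_vulnerable(form):
    """Hidden field manipulation: the price the browser sent back is used unchanged."""
    return int(form["price_cents"]) * int(form["qty"])


def checkout_hardened(form):
    """Any price field from the client is ignored; the server's catalogue is the only source of truth."""
    sku = form["sku"]
    if sku not in CATALOGUE_CENTS:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOGUE_CENTS[sku] * qty
```

The hardened versions are what a WAF cannot fully replace: a WAF can enforce that acct is numeric or that price_cents matches the value it saw in the server's response, but only the application knows who owns account 1002 or what sku-7 really costs.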

Forceful Browsing

This is a Missing Function Level Access Control weakness: a security misconfiguration that attackers can use to expose sensitive data. For example, the attacker can jump from www.website.com/ to the unauthorized resource www.website.com/include and read old or backup files on the website, compromising passwords.
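A deny-by-default access decision for URL paths, written as an added example (not the post's or the site's code), shows how the jump to /include is stopped regardless of whether the resource exists. The path lists, role names and the normalize / decide functions are constructed for illustration; the important detail is that the path is decoded and normalised before any rule is applied, otherwise /static/../include or /%69nclude would slip past a prefix check.

```python
import posixpath
from urllib.parse import unquote

# Constructed access rules for the example site.
PUBLIC_PATHS = {"/", "/index.html", "/login"}
PUBLIC_PREFIXES = ("/static/",)
# Internal directories that must never be served to a browser, whoever asks.
BLOCKED_PREFIXES = ("/include/", "/backup/")
# Editor and backup leftovers that commonly expose source code and credentials.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")


def normalize(path):
    """Decode one layer of percent-encoding and collapse ../ segments before matching."""
    path = unquote(path)
    path = posixpath.normpath(path)  # "/static/../include/x" -> "/include/x"
    if not path.startswith("/"):
        path = "/" + path
    return path


def decide(path, authenticated=False, role="user"):
    """Return "allow" or "deny" for a request path; anything not explicitly public needs a login."""
    p = normalize(path).lower()
    if p.startswith(BLOCKED_PREFIXES) or p == "/include" or p.endswith(BACKUP_SUFFIXES):
        return "deny"
    if p in PUBLIC_PATHS or p.startswith(PUBLIC_PREFIXES):
        return "allow"
    if not authenticated:
        return "deny"
    if p.startswith("/admin/") and role != "admin":
        return "deny"
    return "allow"
```

One caveat a practitioner would check: normalize decodes only one layer of percent-encoding, so if an upstream component decodes again, the decision has to be made on the final decoded path rather than here.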

Cross Site Scripting (XSS)

This is a common attack that runs the attacker's JavaScript on the client side. For example, the attacker can use this kind of attack to redirect the browser to a malicious website, to steal cookies and passwords, or even to scan the internal network. The JavaScript can be uploaded to our website through forms or other text inputs, and when clients visit our website, or click the resource, they will run the malicious script.
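The two layers the post mentions, attack signatures at the WAF and correct handling in the application, are shown together in this added example (not code from the post, from F5 or from any vendor signature set). The stored comment, the three signature patterns and the render functions are constructed for illustration; html.escape from the standard library does the actual output encoding.

```python
import html
import re

# Constructed stored input, as it would be submitted through a comment form on the site.
SUBMITTED_COMMENT = '<script>alert("xss")</script>'

# A few constructed signature patterns of the kind a WAF applies to inbound values.
XSS_SIGNATURES = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
]


def xss_signature_hits(value):
    """Return the indexes of the signatures that match; an empty list means no match."""
    return [i for i, pat in enumerate(XSS_SIGNATURES) if pat.search(value)]


def render_comment_vulnerable(comment):
    """Stored XSS: the comment is interpolated into the page as raw HTML."""
    return '<p class="comment">' + comment + '</p>'


def render_comment_hardened(comment):
    """Output encoding for an HTML text context turns markup into inert text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def render_profile_link(username):
    """Attribute context: quote=True also escapes quote characters so the value cannot close the attribute."""
    safe = html.escape(username, quote=True)
    return '<a href="/users/' + safe + '">' + safe + '</a>'
```

Signatures catch the obvious payloads and give the WAF something to log, but they are bypassable by construction; the encoding in render_comment_hardened is what actually removes the vulnerability, and it has to match the output context (a value placed inside a URL or inside a script block needs different encoding than the HTML text shown here).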

Injection attacks

This is another common attack, where the attacker injects statements into an interpreter such as SQL, the OS shell or LDAP. The most common one is SQL injection (SQLi), where the attacker queries the database engine directly to steal/read the whole database and its tables, or even to write or delete data. It can also be used to bypass the authentication process in the login form, for instance with a statement like the following, where OR 1=1 makes the WHERE clause always true and the trailing -- comments out the rest of the original query:

SELECT * FROM users WHERE username = 'admin' OR 1=1 --'

These are some web application attacks that are easy to block with a WAF but very difficult with an IPS or a layer 4 firewall.